tryhackme // 2026-01-07 // ID: REF-CCT2019

CCT2019


CCT2019: A Beginner's Guide & Writeup

Room Theme: This room is a "mixed bag" challenge. It tests your ability to switch between different skill sets: analyzing Linux programs, reversing Windows (.NET) apps, finding hidden data in images (Steganography), and breaking classic codes (Cryptography).


Task 1: The Linux Executable (ELF)

The Goal: Find a secret text hidden inside a program file named raw2.bin.

Concept: Decompiling

Computers read "Machine Code" (1s and 0s). Humans read "Source Code" (C, Python). When a programmer compiles code, it turns into machine code. To solve this, we need to Decompile it—turn the machine code back into something readable.

Tools Used

Step-by-Step

  1. Identification: We run the file command in the terminal (file raw2.bin). It tells us this is an ELF file, which is just the technical name for a Linux program.

  2. Finding the Spot: We open the file in Ghidra. Since we don't know where to look, we search for strings (text) inside the program. We find "Connected to my server!", which leads us to the main function.

  3. The Logic Puzzle: Inside the code, we see a weird-looking string. The program processes this string in two steps:

    • Step A: It adds/subtracts 13 from every letter. This is a famous cipher called ROT13 (Rotate 13). It simply shifts the alphabet by half.

    • Step B: It reverses the string (reads it backward).

The Solution: We take the weird string, apply ROT13, reverse it, and wrap it in CCT{...}.
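The two steps above, as an added Python example (not code from the room or from raw2.bin). The stored string is a constructed sample, and the function names are hypothetical. shift13 is written the way the "adds/subtracts 13" logic tends to read in a decompiler, so it can be compared with the standard ROT13 codec.

```python
import codecs

def shift13(ch: str) -> str:
    """Add 13 to letters in the first half of the alphabet, subtract 13
    from letters in the second half; leave everything else alone."""
    if "a" <= ch <= "m" or "A" <= ch <= "M":
        return chr(ord(ch) + 13)
    if "n" <= ch <= "z" or "N" <= ch <= "Z":
        return chr(ord(ch) - 13)
    return ch  # digits, underscores and punctuation pass through

def transform(s: str) -> str:
    """Step A (ROT13 on every character), then Step B (reverse)."""
    return "".join(shift13(c) for c in s)[::-1]

def recover(stored: str) -> str:
    """Apply both steps and wrap the result in the CCT{...} flag format."""
    return "CCT{" + transform(stored) + "}"

# Constructed sample, NOT the string found in raw2.bin.
SAMPLE_STORED = "tnys_ynre_rug_gba"

if __name__ == "__main__":
    # The hand-written rule matches the standard ROT13 codec.
    assert "".join(map(shift13, "Hello")) == codecs.encode("Hello", "rot13")
    print(recover(SAMPLE_STORED))
```

ROT13 and reversal are each their own inverse and can be applied in either order, so running transform twice returns the original string.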


Task 2: The Windows App (.NET)

The Goal: Get a flag from a file named re3.

Concept: Managed Code & XOR

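Unlike the previous task, this program is built with C# (.NET). We can't use Ghidra effectively here because .NET is "managed code": it is compiled to an intermediate language that the .NET runtime executes, not to native machine code. We need a tool that speaks C#, like ILSpy, which turns that intermediate language back into readable C#.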

The encryption used here relies on XOR. Think of XOR like a light switch: if you flip it once, lights go on. Flip it again with the same key, lights go off (you get your original data back).


Step-by-Step

  1. Decompiling: We open the file in ILSpy. We find a function called goodBoy that decides if we win or lose.

  2. The Distraction: The code asks us to find 4 numbers that add up to 711. This is a hard math problem intended to waste our time.

  3. The Bypass: We look at how the flag is made. The code takes a list of numbers and XORs them with a key (0-711).

  4. The Script: Instead of doing the math, we write a tiny Python script to try every number from 0 to 711. Since computers are fast, this takes less than a second. The correct key reveals a 32-character hex string.

Partial Flag: 45c2... (32 chars long)
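The brute force from steps 3 and 4, as an added Python example (not the script used for the room). The encoded list, key and 32-character string are constructed samples, not values from re3, and the function names are hypothetical.

```python
import string

def xor_decode(values, key):
    """XOR every number with the key. Returns None as soon as a result
    is not printable ASCII, so wrong keys are rejected early."""
    chars = []
    for v in values:
        c = v ^ key
        if not 32 <= c < 127:
            return None
        chars.append(chr(c))
    return "".join(chars)

def looks_like_flag(text):
    """The writeup says the right key reveals a 32-character hex string."""
    return (text is not None and len(text) == 32
            and all(ch in string.hexdigits for ch in text))

def brute_force(values, max_key=711):
    """Try every key from 0 to max_key and keep each one whose output
    passes the hex-string check. More than one hit is possible."""
    hits = []
    for key in range(max_key + 1):
        text = xor_decode(values, key)
        if looks_like_flag(text):
            hits.append((key, text))
    return hits

# Constructed sample data, NOT taken from re3.
SAMPLE_KEY = 437
SAMPLE_FLAG = "00112233445566778899aabbccddeeff"
SAMPLE_ENCODED = [ord(ch) ^ SAMPLE_KEY for ch in SAMPLE_FLAG]

if __name__ == "__main__":
    for key, text in brute_force(SAMPLE_ENCODED):
        print(f"key={key} -> {text}")
```

Checking the output's shape (length and alphabet) is what lets the script pick the right key without solving the 711 puzzle. If several keys pass the check, each candidate still has to be tried as the flag.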


Task 3: The Hidden Image (Steganography)

The Goal: Dig through layers of hidden secrets starting with a picture of an Enigma machine.

Concept: Layers of Hiding

CTF challenges often hide files inside other files. This is called Steganography. We peel the layers like an onion.

Step-by-Step

  1. Layer 1 (Metadata): We use a tool called Exiftool to look at the image details. It reveals Morse code in the description. (This turns out to be a decoy/warmup).

  2. Layer 2 (Visual Hiding): We open the image in GIMP (like Photoshop). By using the Threshold tool on the Red Channel, we see hidden text written in the visual noise: 0ni0n_....

  3. Layer 3 (Embedded Files): We use Steghide, a tool for hiding data inside image files and extracting it again. It asks for a password. We brute-force it (or use a hint) to find the password Z10N0101. This extracts a zip file.

  4. Layer 4 (The Enigma): Inside the zip, we find a config.txt and a cipher. The config file holds the settings for a WWII Enigma Machine. We use an online simulator (Cryptii) to plug in the settings (Rotors, Rings, Plugs) and decode the message.

The Solution: The decoded text (without spaces) is the password to unzip the final flag.


Task 4: The Crypto Trio

The Goal: Solve three short cipher puzzles.

4a: Substitution (Keyboard Layouts)

4b: Transposition (Rail Fence)

4c: Encoding (Run-Length Encoding)